Vulnerabilities

2 via 2 paths

Dependencies

16

Source

GitHub


critical severity

Arbitrary Command Injection

  • Vulnerable module: shell-quote
  • Introduced through: @generalov/open-in-editor@2.3.0

Detailed paths

  • Introduced through: open-in-editor-connect@generalov/open-in-editor-connect › @generalov/open-in-editor@2.3.0 › shell-quote@1.6.1

Overview

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Arbitrary Command Injection via the quote() function when object-token inputs containing line terminators (\n, \r, U+2028, U+2029) in the .op field are not properly validated. An attacker can execute arbitrary commands by supplying crafted input that includes line terminators, which POSIX shells interpret as command separators. The vulnerable path is reachable in two ways: by direct construction of a token from external input ({ op: '...\n...' }), or by untrusted input being returned from the envFn callback passed to parse(cmd, envFn).

Remediation

Upgrade shell-quote to version 1.8.4 or higher.

high severity

Remote Code Execution (RCE)

  • Vulnerable module: shell-quote
  • Introduced through: @generalov/open-in-editor@2.3.0

Detailed paths

  • Introduced through: open-in-editor-connect@generalov/open-in-editor-connect › @generalov/open-in-editor@2.3.0 › shell-quote@1.6.1

Overview

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command run with exec(), an attacker can inject arbitrary commands. The cause is that the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters fall in the ASCII range between the capital letter Z and the lower-case letter a, among them the backtick character.
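As an added example (not shell-quote's own code), the following JavaScript contrasts the flawed and corrected drive-letter character classes described above, and adds a validation helper for the object-token .op field described under Arbitrary Command Injection; the function names and the checks are assumptions made for illustration.

```javascript
// Added example, not code from shell-quote. Function names are hypothetical.

// Drive-letter character classes: the flawed one named in the RCE advisory
// and the corrected one.
const FLAWED_DRIVE_LETTER = /^[A-z]:/;
const FIXED_DRIVE_LETTER = /^[A-Za-z]:/;

// Returns every printable ASCII character that a drive-letter regex accepts
// even though it is not an ASCII letter. Each candidate is tried as "X:".
function nonLetterMatches(re) {
  const stray = [];
  for (let code = 0x20; code < 0x7f; code++) {
    const ch = String.fromCharCode(code);
    if (/^[A-Za-z]$/.test(ch)) continue;
    if (re.test(`${ch}:`)) stray.push(ch);
  }
  return stray;
}

// Regression check for a test suite: a drive-letter regex is acceptable
// only if it admits nothing beyond real letters.
function isStrictLetterClass(re) {
  return nonLetterMatches(re).length === 0;
}

// Line terminators listed in the command-injection advisory as the
// characters that must not appear in a token's .op field.
const LINE_TERMINATORS = /[\n\r\u2028\u2029]/;

// Validate an object token before handing it to a quote()-style function:
// the token must be an object whose .op is a string free of line terminators.
function isSafeOpToken(token) {
  return token !== null && typeof token === 'object' &&
    typeof token.op === 'string' && !LINE_TERMINATORS.test(token.op);
}
```

Running nonLetterMatches on the flawed class lists exactly the six characters between Z and a ([, \, ], ^, _ and the backtick), while the corrected class yields an empty list.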

Remediation

Upgrade shell-quote to version 1.7.3 or higher.
